Date: Wed, 16 Aug 2017 09:03:40 -0400 From: Mike Tancsa <mike@sentex.net> To: Borja Marcos <borjam@sarenet.es> Cc: "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>, Andriy Gapon <avg@freebsd.org> Subject: Re: protecting zfs snapshot info Message-ID: <2b83528d-55a0-7c40-c11d-d341f8f46e47@sentex.net> In-Reply-To: <003E0B0C-95C5-4D0B-91DB-393877480BDE@sarenet.es> References: <d7fa3f0c-e00a-9c41-5430-1f381f71d3e0@sentex.net> <52984307-2C6C-454C-A69B-15FB4AE01E1B@sarenet.es> <5e3145ab-246a-f213-80b0-000dd801fbef@sentex.net> <b911a1d7-02ae-c16e-2534-f7b1b44215f7@sentex.net> <003E0B0C-95C5-4D0B-91DB-393877480BDE@sarenet.es>
next in thread | previous in thread | raw e-mail | index | archive | help
cc'ing Andriy who knows a lot of ZFS... Andriy, is there any chance something like this is in the works in ZFS ? ---Mike On 8/16/2017 6:12 AM, Borja Marcos wrote: > >> On 15 Aug 2017, at 14:20, Mike Tancsa <mike@sentex.net> wrote: >> >> On 8/14/2017 8:57 AM, Mike Tancsa wrote: >>> On 8/14/2017 2:47 AM, Borja Marcos wrote: >>>> >>>>> On 12 Aug 2017, at 19:14, Mike Tancsa <mike@sentex.net> wrote: >>>>> >>>>> >>>>> Is there a way in zfs to protect non root users from seeing snapshots ? >> >>>> Good question and it’s a problem indeed. The .zfs directory is always created >>>> and it can be hidden but it’s still accessible. It’s a security problem that prevents >>>> an effective access revocation for a directory/file, I guess that’s what you mean. >>> >>> Yes, something like an extra option >>> hidden | visible | unmounted >> >> I did come across this thread >> >> https://github.com/zfsonlinux/zfs/issues/3963 >> >> but it seems Linux specific or at least I dont see how its done on FreeBSD. > > Yes, it seems to be Linux specific and as far as I know there’s no way to do it on FreeBSD right now. > > I would vouch for a third state added to the “snapdir” variable, but I wouldn’t call it “disabled”. “unmounted” or > maybe “noauto” is much better in my opinion. The .zfs directory should still be created (maybe hidden when > in “noauto” state in order to prevent it from being created by a user. > > I don’t think a new permission is needed to control that variable, though. The “snapshot” permission > implies that “mount” should be allowed as well at least in the current versions. So it’s redundant. Or, > actually, the “noauto” value for “snapdir” would eliminate the requirement for “mount” permissions. > > I mean: Right now the “snapshot” permission requires “mount” because the snapshot is mounted upon creation > like it or not. If the snapshot was not automatically mounted thanks to the “noauto” value for “snapdir” it would be > possible to have a user authorized to manage snapshots but unable to mount them. > > Given the very sensible nature of “mount” in Unix it makes sense. > > > > > > > > Borja. > > > > -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2b83528d-55a0-7c40-c11d-d341f8f46e47>